
Windows Analysis Report
mzQcZawXvh.exe

Overview

General Information

Sample Name: mzQcZawXvh.exe
Analysis ID: 589699
MD5: 514837c22746ae83fad96926ad2ddf83
SHA1: e23e87f578c20f743ca1460d5e744c10b629cc16
SHA256: beced991de014438e5a42627fd44721a06fd4fa67b8a58319fc00eb6316169a1
Tags: BitRAT, exe, RAT

Detection

BitRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected BitRAT
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Antivirus detection for URL or domain
Hides threads from debuggers
Machine Learning detection for sample
Injects a PE file into a foreign process
Contains functionality to hide a thread from the debugger
C2 URLs / IPs found in malware configuration
Possible FUD Crypter (malicious underground PE packer) detected
Uses dynamic DNS services
Uses 32bit PE files
Yara signature match
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Found evasive API chain (date check)
Sleep loop found (likely to delay execution)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Found evasive API chain (may stop execution after checking a module file name)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
PE file contains strange resources
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Installs a global mouse hook
Found large amount of non-executed APIs
Creates a process in suspended mode (likely to inject code)

Classification

  • System is w10x64
  • mzQcZawXvh.exe (PID: 5872 cmdline: "C:\Users\user\Desktop\mzQcZawXvh.exe" MD5: 514837C22746AE83FAD96926AD2DDF83)
    • mzQcZawXvh.exe (PID: 5012 cmdline: "C:\Users\user\Desktop\mzQcZawXvh.exe" MD5: 514837C22746AE83FAD96926AD2DDF83)
  • cleanup
Malware configuration (extracted): {"Host": "toopdyno2.duckdns.org", "Port": "55140", "Tor Port": "0", "Install Dir": "0", "Install File": "0", "Communication Password": "3cd2623273605167e72c665ad9347c60", "Tor Process Name": "tor"}
Source | Rule | Description | Author | Strings
  • 00000001.00000000.252764032.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security
  • 00000001.00000000.252764032.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_BitRAT | Detects BitRAT RAT | ditekSHen
    Matched strings:
    • 0x33bbf0:$s1: \plg\
    • 0x33bd70:$s3: files_delete
    • 0x33a9bc:$s9: ddos_stop
    • 0x33bbd0:$s10: socks5_srv_start
    • 0x33bdb8:$s16: klg|
    • 0x33a9ec:$s17: Slowloris
    • 0x33bc60:$s18: Bot ID:
    • 0x33c198:$t1: <sz>N/A</sz>
  • 00000001.00000000.251383367.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security
  • 00000001.00000000.251383367.0000000000400000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_BitRAT | Detects BitRAT RAT | ditekSHen
    Matched strings:
    • 0x33bbf0:$s1: \plg\
    • 0x33bd70:$s3: files_delete
    • 0x33a9bc:$s9: ddos_stop
    • 0x33bbd0:$s10: socks5_srv_start
    • 0x33bdb8:$s16: klg|
    • 0x33a9ec:$s17: Slowloris
    • 0x33bc60:$s18: Bot ID:
    • 0x33c198:$t1: <sz>N/A</sz>
  • 00000001.00000000.246514986.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security
  (13 entries in the full table)

Source | Rule | Description | Author | Strings
  • 1.0.mzQcZawXvh.exe.400000.5.raw.unpack | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security
  • 1.0.mzQcZawXvh.exe.400000.3.unpack | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security
  • 1.0.mzQcZawXvh.exe.400000.0.unpack | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security
  • 1.0.mzQcZawXvh.exe.400000.1.unpack | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security
  • 1.0.mzQcZawXvh.exe.400000.2.unpack | JoeSecurity_BitRAT | Yara detected BitRAT | Joe Security
  (36 entries in the full table)
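The extracted configuration above gives the C2 endpoint (toopdyno2.duckdns.org:55140) and the MALWARE_Win_BitRAT hits give the plaintext indicator strings the unpacked image exposes in memory. The following Python is an added example, not code from Joe Sandbox or from the ditekSHen rule: it turns the configuration line into blockable indicators and re-checks a memory buffer for the same eight strings. The buffer is constructed for the example, the reading of "0" as "feature unused" for the Tor and install fields is an assumption, and the 3-of-8 verdict threshold is an assumption rather than the rule's real condition.

```python
import json

# Configuration line exactly as the report prints it (copied from the page).
CONFIG_LINE = ('{"Host": "toopdyno2.duckdns.org", "Port": "55140", "Tor Port": "0", '
               '"Install Dir": "0", "Install File": "0", '
               '"Communication Password": "3cd2623273605167e72c665ad9347c60", '
               '"Tor Process Name": "tor"}')

# Indicator strings from the MALWARE_Win_BitRAT hits listed in the report.
BITRAT_STRINGS = {
    "$s1": b"\\plg\\",
    "$s3": b"files_delete",
    "$s9": b"ddos_stop",
    "$s10": b"socks5_srv_start",
    "$s16": b"klg|",
    "$s17": b"Slowloris",
    "$s18": b"Bot ID:",
    "$t1": b"<sz>N/A</sz>",
}

# Dynamic-DNS suffix seen in this report; extend for your environment.
DYNDNS_SUFFIXES = (".duckdns.org",)


def parse_bitrat_config(line: str) -> dict:
    """Turn the extracted configuration into blockable indicators.

    Assumption: "0" in the Tor port and install fields means the feature is
    unused; the report does not document the field semantics.
    """
    cfg = json.loads(line)
    host = cfg["Host"]
    return {
        "c2_host": host,
        "c2_port": int(cfg["Port"]),
        "uses_dyndns": host.lower().endswith(DYNDNS_SUFFIXES),
        "tor_enabled": cfg.get("Tor Port", "0") != "0",
        "installs_itself": (cfg.get("Install Dir", "0") != "0"
                            or cfg.get("Install File", "0") != "0"),
        "comm_password": cfg["Communication Password"],
    }


def find_bitrat_strings(buf: bytes) -> dict:
    """Return {rule_string_name: [offsets]} for every indicator found in buf."""
    hits = {}
    for name, needle in BITRAT_STRINGS.items():
        offsets = []
        pos = buf.find(needle)
        while pos != -1:
            offsets.append(pos)
            pos = buf.find(needle, pos + 1)
        if offsets:
            hits[name] = offsets
    return hits


def looks_like_bitrat(hits: dict, minimum: int = 3) -> bool:
    """Assumed verdict threshold; NOT the ditekSHen rule's actual condition."""
    return len(hits) >= minimum


# Constructed stand-in for a memory dump: four indicator strings padded with NULs.
SAMPLE_DUMP = (b"\x00" * 16 + b"socks5_srv_start" + b"\x00" * 8 + b"Bot ID:"
               + b"\x00" * 4 + b"<sz>N/A</sz>" + b"\x00" * 4 + b"files_delete")

if __name__ == "__main__":
    print(parse_bitrat_config(CONFIG_LINE))
    hits = find_bitrat_strings(SAMPLE_DUMP)
    print(hits, looks_like_bitrat(hits))
```

To use this on a real Joe Sandbox memory dump, read the .sdmp file as bytes and pass it to find_bitrat_strings; the offsets it returns are relative to the start of the dump, which is how the report lists them.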


Source: Process started, Author: frack113
  • Command: "C:\Users\user\Desktop\mzQcZawXvh.exe"
  • CommandLine: "C:\Users\user\Desktop\mzQcZawXvh.exe"
  • CommandLine|base64offset|contains: (empty)
  • Image: C:\Users\user\Desktop\mzQcZawXvh.exe
  • NewProcessName: C:\Users\user\Desktop\mzQcZawXvh.exe
  • OriginalFileName: C:\Users\user\Desktop\mzQcZawXvh.exe
  • ParentCommandLine: "C:\Users\user\Desktop\mzQcZawXvh.exe"
  • ParentImage: C:\Users\user\Desktop\mzQcZawXvh.exe
  • ParentProcessId: 5872
  • ProcessCommandLine: "C:\Users\user\Desktop\mzQcZawXvh.exe"
  • ProcessId: 5012
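The process tree and the process-start event above both show the sample launching a second copy of its own image (PID 5872 spawning PID 5012), which together with the "Creates a process in suspended mode" and "Injects a PE file" signatures is the usual shape of injecting an unpacked payload into a fresh copy of oneself. The following Python is an added example and is not part of the Joe Sandbox report or of the frack113 rule it cites: it runs a self-spawn check over constructed Sysmon-style JSON events and then correlates the suspect child with outbound connections to non-standard ports. The allowlist of images that legitimately spawn themselves, the explorer.exe parent of PID 5872, and the benign events are assumptions made for the example.

```python
import json

# Images that routinely spawn copies of themselves (browser renderer processes);
# assumed allowlist, tune for your environment.
SELF_SPAWN_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe"}

# Constructed Sysmon-style events (EventID 1 = process create, 3 = network
# connect). The mzQcZawXvh.exe entries mirror the PIDs, path and C2 host/port
# from the report; the explorer.exe parent and the chrome/google lines are
# invented benign noise.
EVENT_LINES = [json.dumps(e) for e in (
    {"EventID": 1, "ProcessId": 4044, "Image": r"C:\Windows\explorer.exe",
     "ParentProcessId": 1228, "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 1, "ProcessId": 5872, "Image": r"C:\Users\user\Desktop\mzQcZawXvh.exe",
     "ParentProcessId": 4044, "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 5012, "Image": r"C:\Users\user\Desktop\mzQcZawXvh.exe",
     "ParentProcessId": 5872, "ParentImage": r"C:\Users\user\Desktop\mzQcZawXvh.exe"},
    {"EventID": 1, "ProcessId": 6100,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ParentProcessId": 6088,
     "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"EventID": 3, "ProcessId": 5012, "Image": r"C:\Users\user\Desktop\mzQcZawXvh.exe",
     "DestinationHostname": "toopdyno2.duckdns.org", "DestinationPort": 55140},
    {"EventID": 3, "ProcessId": 6100,
     "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.google.com", "DestinationPort": 443},
)]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def self_spawn_events(lines):
    """Process-creation events whose child image equals the parent image,
    excluding allowlisted images. Returns (parent_pid, child_pid, image)."""
    found = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 1:
            continue
        if ev["Image"].lower() != ev["ParentImage"].lower():
            continue
        if basename(ev["Image"]) in SELF_SPAWN_ALLOWLIST:
            continue
        found.append((ev["ParentProcessId"], ev["ProcessId"], ev["Image"]))
    return found


def correlate_network(lines, suspects, well_known=(80, 443)):
    """For each suspect child PID, collect outbound connections to ports outside
    well_known; the report flags this sample's traffic on a non-standard port."""
    pids = {child for _, child, _ in suspects}
    out = []
    for line in lines:
        ev = json.loads(line)
        if (ev.get("EventID") == 3 and ev["ProcessId"] in pids
                and ev["DestinationPort"] not in well_known):
            out.append((ev["ProcessId"], ev["DestinationHostname"], ev["DestinationPort"]))
    return out


if __name__ == "__main__":
    suspects = self_spawn_events(EVENT_LINES)
    print("self-spawn:", suspects)
    print("C2 candidates:", correlate_network(EVENT_LINES, suspects))
```

The self-spawn test alone is noisy on a real fleet, which is why the allowlist exists and why the network correlation is the part worth alerting on: a self-spawned child from a user-writable path that immediately talks to a dynamic-DNS host on an unusual port is a much stronger signal than either event on its own.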


                  AV Detection